
WireGuard configuration #921

Closed
gsanchietti opened this issue Nov 19, 2024 · 9 comments
Labels
verified All test cases were verified successfully

Comments

@gsanchietti (Member) commented Nov 19, 2024

Description:
This feature introduces WireGuard configuration from both the command line interface (CLI) and the user interface (UI) for the NethSecurity project. It allows administrators to manage multiple WireGuard server instances and their associated peers (accounts) with specific configurations and features.

Features:

  • Support for multiple WireGuard server instances
  • Each instance has its own reserved zone
  • Static IP allocation for all peers (only /24 networks are supported)
  • Ability to download peer configuration as text or QR code
  • Net-to-net (site-to-site) mode
  • Support for peer pre-shared keys
  • Link a local or remote user to a given WireGuard account
  • Use WireGuard account IP addresses within firewall objects
  • Add an API to import configuration files for firewalls used as peers in a net-to-net setup
  • Support for UI to create multiple instances of servers
    • If a server is associated with a user database, all accounts must be tied to existing users (similar to OpenVPN RW)
    • If a server is not associated with a user database, it is possible to create custom WireGuard-only users, typically used for connecting multiple sites in point-to-point or star topology
  • Support kernel-level debug

References:

@gsanchietti gsanchietti added this to the NethSecurity 8.6 milestone Nov 19, 2024
@github-project-automation github-project-automation bot moved this to ToDo 🕐 in NethSecurity Nov 19, 2024
@gsanchietti gsanchietti added the milestone goal 👑 This describes an announced milestone goal label Nov 19, 2024
This was referenced Nov 28, 2024
gsanchietti added a commit that referenced this issue Dec 12, 2024
WireGuard CLI configuration

 #921
github-actions bot (Contributor) commented:

Testing image version: 8-23.05.5-ns.1.3.0-134-g34fcbf2a

@github-actions github-actions bot added the testing Packages are available from testing repositories label Dec 12, 2024
@gsanchietti gsanchietti mentioned this issue Dec 12, 2024
10 tasks
@gsanchietti gsanchietti removed the milestone goal 👑 This describes an announced milestone goal label Dec 12, 2024
@gsanchietti gsanchietti moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Dec 12, 2024
@gsanchietti (Member Author) commented:

Test Case for "Get good defaults"

  1. Description: Verify that the default instance parameters are retrieved correctly.
  2. Command: /usr/libexec/rpcd/ns.wireguard call get-instance-defaults
  3. Expected Result: The response should include parameters like listen_port, instance, network, routes, and public_endpoint.

Test Case for "Create the instance"

  1. Description: Create a WireGuard instance with specified parameters and verify its creation.
  2. Command: echo '{"listen_port": 51820, "name": "wg1", "instance": "wg1", "enabled": true, "network": "10.103.1.0/24", "routes": ["192.168.100.0/24"], "public_endpoint": "1.2.3.4", "dns": [], "user_db": ""}' | /usr/libexec/rpcd/ns.wireguard call set-instance
  3. Expected Result: The instance should be created, and the server should get the first IP of the network, e.g., 10.98.95.1.

Test Case for "Add a new account (peer)"

  1. Description: Add a new peer to the instance and verify its addition.
  2. Command: echo '{"enabled": true, "instance": "wg1", "account": "user1", "route_all_traffic": false, "client_to_client": false, "ns_routes": [], "preshared_key": true}' | /usr/libexec/rpcd/ns.wireguard call set-peer
  3. Expected Result: The peer should be added to the instance with the specified parameters.

Test Case for "Download the account configuration"

  1. Description: Download the configuration for a peer account and verify the output.
  2. Command: echo '{"instance": "wg1", "account": "user1"}' | /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .config
  3. Expected Result: The configuration should be downloaded in text format.

Test Case for "Configure a Desktop/Mobile device"

  1. Description: Generate a QR code for a peer account and verify it can be scanned and used.
  2. Command: echo '{"instance": "wg1", "account": "user1"}' | /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .qrcode | base64 -d
  3. Expected Result: The QR code should be generated and printable.
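
The test cases above drive the ns.wireguard RPC on a live firewall, so they cannot be replayed offline. As an added stand-alone illustration (not NethSecurity code), the Python below models the allocation rule the issue describes: one /24 tunnel network per instance, the server on the first host address (10.103.1.1 for 10.103.1.0/24), each peer on the next free address, an error once the /24 is exhausted, and a pre-shared key generated as 32 random bytes in base64. The Instance class, its method names and the placeholder key strings are assumptions; real private/public key pairs would come from wg genkey / wg pubkey, which this example does not reimplement.

```python
"""Static /24 address allocation for WireGuard peers (added example, not NethSecurity code)."""
import base64
import ipaddress
import os


def is_supported_network(network):
    """The issue states only /24 networks are supported; anything else is rejected up front."""
    try:
        net = ipaddress.ip_network(network, strict=True)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 24


class Instance:
    """One WireGuard server instance (hypothetical model): a /24 tunnel network,
    the server on its first host address, peers allocated sequentially after it."""

    def __init__(self, name, network, listen_port, public_endpoint, routes=()):
        if not is_supported_network(network):
            raise ValueError(f"{network}: only IPv4 /24 networks are supported")
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.listen_port = listen_port
        self.public_endpoint = public_endpoint
        self.routes = [str(ipaddress.ip_network(r)) for r in routes]
        self.server_ip = self.network.network_address + 1   # e.g. 10.103.1.1
        self.peers = {}  # account name -> IPv4Address

    def add_peer(self, account):
        """Assign the lowest free host address; freed addresses are reused."""
        if account in self.peers:
            raise ValueError(f"peer {account!r} already exists")
        used = {self.server_ip, *self.peers.values()}
        # hosts() excludes the network and broadcast addresses.
        for candidate in self.network.hosts():
            if candidate not in used:
                self.peers[account] = candidate
                return candidate
        raise RuntimeError(f"{self.network}: no free addresses left (253 peers max on a /24)")

    def remove_peer(self, account):
        del self.peers[account]


def new_preshared_key():
    """A WireGuard pre-shared key is 32 random bytes, base64-encoded (44 characters)."""
    return base64.b64encode(os.urandom(32)).decode()


def render_peer_config(inst, account, peer_private_key, server_public_key,
                       psk=None, route_all_traffic=False):
    """Text the client imports; follows the layout of the download-peer-config output.
    Key material is passed in (placeholders in the test), never generated here."""
    peer_ip = inst.peers[account]
    # route_all_traffic sends everything through the tunnel; otherwise only the
    # announced routes plus the server's own tunnel address are routed.
    allowed = ["0.0.0.0/0"] if route_all_traffic else inst.routes + [str(inst.server_ip)]
    lines = [
        f"# Account: {account} for {inst.name}",
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer_ip}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
    ]
    if psk:
        lines.append(f"PreSharedKey = {psk}")
    lines += [
        f"AllowedIPs = {','.join(allowed)}",
        f"Endpoint = {inst.public_endpoint}:{inst.listen_port}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wg1 = Instance("wg1", "10.103.1.0/24", 51820, "1.2.3.4", ["192.168.100.0/24"])
    wg1.add_peer("user1")
    print(render_peer_config(wg1, "user1", "<peer private key>", "<server public key>",
                             psk=new_preshared_key()))
```

Rejecting anything but a /24 at construction time keeps the allocator simple (at most 253 peers per instance) and matches the constraint stated in the feature list.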

@gsanchietti gsanchietti moved this from In Progress 🛠 to Testing in NethSecurity Dec 12, 2024

cotosso commented Dec 16, 2024

TEST CASE for Get Good defaults

root@NSec8-VM:~# /usr/libexec/rpcd/ns.wireguard call get-instance-defaults
{"listen_port": 51820, "instance": "wg1", "network": "10.9.110.0/24", "routes": ["10.77.88.0/24", "192.168.56.0/24"], "public_endpoint": ""}

Everything works fine except for the public endpoint, which has no value.
That said, if I try to get the public endpoint for OpenVPN (server or RW) I have the same result, so it seems to be a global issue, not a specific one of WG.

Environment:
Virtual machine going to internet through another firewall.


cotosso commented Dec 16, 2024

TEST CASE for "Create the instance"

root@NSec8-VM:~# echo '{"listen_port": 51820, "name": "wg1", "instance": "wg1", "enabled": true, "network": "10.103.1.0/24", "routes": ["192.168.100.0/24"], "public_endpoint": "1.2.3.4", "dns": [], "user_db": ""}' |  /usr/libexec/rpcd/ns.wireguard call set-instance
{"public_key": "10VNMyuL/4kZz2IGnxlCBFggtxgrXP1IifVZGfuoaBE="}

The instance has been created, but we need some more commands to see the wg interface:

uci commit network && uci commit firewall
reload_config

and then everything is fine

10: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.103.1.1/32 brd 255.255.255.255 scope global wg1
       valid_lft forever preferred_lft forever


cotosso commented Dec 16, 2024

Test Case for "Add a new account (peer)"

root@NSec8-VM:~# echo '{"enabled": true, "instance": "wg1", "account": "user1", "route_all_traffic": false, "client_to_client": false, "ns_routes": [], "preshared_key": true}' | /usr/libexec/rpcd/ns.wireguard call set-peer
{"section": "wg1_user1_peer"}

some commit and restart:

root@NSec8-VM:~# uci commit network
root@NSec8-VM:~# reload_config

and then I can see the new account inside the configuration

config wireguard_wg1 'wg1_user1_peer'
        option public_key '3Kirpj+r70ZEng0ZLCp3/X8/V7rFHRGB+66SQ8SgDDw='
        option private_key 'WOepFqyNkpg3C5i+KxVxwMnBhkJn2m/W3/BCwrvg4Xg='
        option ns_ip '10.103.1.2'
        option persistent_keepalive '25'
        option description 'user1'
        option ns_link 'network/wg1'
        option route_allowed_ips '1'
        option disabled '0'
        option ns_route_all_traffic '0'
        option ns_client_to_client '0'
        list allowed_ips '10.103.1.2'
        option preshared_key 'KiXANB3TIisUgdlLvrC0EkxDCMy7SRiI2UqCk8oNmAk='


gsanchietti commented Dec 16, 2024

Environment: Virtual machine going to internet through another firewall.

That's the issue: probably the firewall has DNS proxy configured that intercepts the request.

@gsanchietti gsanchietti added verified All test cases were verified successfully testing Packages are available from testing repositories and removed testing Packages are available from testing repositories verified All test cases were verified successfully labels Dec 16, 2024
@nethbot nethbot moved this from Testing to Verified in NethSecurity Dec 16, 2024
@nethbot nethbot moved this from Verified to Testing in NethSecurity Dec 16, 2024

cotosso commented Dec 16, 2024

TEST CASE for "Download the account configuration"

Everything went fine

root@NSec8-VM:~# echo '{"instance": "wg1", "account": "user1"}' | /usr/libexec/rpcd/ns.wireguard call download-peer-config | jq -r .config
# Account: user1 for wg1
[Interface]
PrivateKey = WOepFqyNkpg3C5i+KxVxwMnBhkJn2m/W3/BCwrvg4Xg=
Address = 10.103.1.2
# Custom DNS disabled

[Peer]
PublicKey = 10VNMyuL/4kZz2IGnxlCBFggtxgrXP1IifVZGfuoaBE=
PreSharedKey = KiXANB3TIisUgdlLvrC0EkxDCMy7SRiI2UqCk8oNmAk=
AllowedIPs = 192.168.100.0/24,10.103.1.1
Endpoint = 1.2.3.4:51820
PersistentKeepalive = 25
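
As an added example (not part of the test report or of the project), a small parser for the configuration text above plus a check that the file handed to a peer matches what the instance should produce: the peer address inside the tunnel /24 and distinct from the server's, a PreSharedKey present when preshared_key was requested, AllowedIPs covering the announced routes and the server's tunnel address, the expected Endpoint, and a finding when AllowedIPs contains 0.0.0.0/0 (the route_all_traffic case). SAMPLE_CONFIG is constructed from the output above with the key values replaced by placeholders; the function names are assumptions.

```python
"""Parse a WireGuard client config and check it against the expected instance settings (added example)."""
import ipaddress

# Constructed from the download-peer-config output in the thread; keys replaced by placeholders.
SAMPLE_CONFIG = """\
# Account: user1 for wg1
[Interface]
PrivateKey = <peer private key placeholder>
Address = 10.103.1.2
# Custom DNS disabled

[Peer]
PublicKey = <server public key placeholder>
PreSharedKey = <psk placeholder>
AllowedIPs = 192.168.100.0/24,10.103.1.1
Endpoint = 1.2.3.4:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Return {section: {key: value}}. Comments and blank lines are skipped; keys that
    WireGuard lets repeat or hold comma lists (AllowedIPs, Address, DNS) become lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("AllowedIPs", "Address", "DNS"):
            sections[current].setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            sections[current][key] = value
    return sections


def check_peer_config(cfg, tunnel_network, expected_routes, expected_endpoint, require_psk=True):
    """Return a list of findings; an empty list means the config matches the instance."""
    findings = []
    net = ipaddress.ip_network(tunnel_network)
    server_ip = net.network_address + 1          # the server always takes the first host address
    iface = cfg.get("Interface", {})
    peer = cfg.get("Peer", {})

    for addr in iface.get("Address", []):
        ip = ipaddress.ip_interface(addr).ip
        if ip not in net or ip == server_ip:
            findings.append(f"Address {addr} is not a valid peer address in {net}")

    if require_psk and not peer.get("PreSharedKey"):
        findings.append("PreSharedKey missing although preshared_key was requested")
    if peer.get("Endpoint") != expected_endpoint:
        findings.append(f"Endpoint is {peer.get('Endpoint')!r}, expected {expected_endpoint!r}")

    allowed = [ipaddress.ip_network(a, strict=False) for a in peer.get("AllowedIPs", [])]
    if any(a.prefixlen == 0 for a in allowed):
        findings.append("AllowedIPs contains a default route (route_all_traffic): "
                        "all client traffic is tunnelled")
    # Every announced route and the server's own tunnel address must be reachable through the tunnel.
    wanted = [ipaddress.ip_network(r) for r in expected_routes] + [ipaddress.ip_network(str(server_ip))]
    for w in wanted:
        if not any(w.subnet_of(a) for a in allowed):
            findings.append(f"{w} is not covered by AllowedIPs")
    return findings


if __name__ == "__main__":
    parsed = parse_wg_config(SAMPLE_CONFIG)
    print(parsed)
    print(check_peer_config(parsed, "10.103.1.0/24", ["192.168.100.0/24"], "1.2.3.4:51820"))
```

Running the check on the sample yields no findings; dropping the PreSharedKey line or replacing AllowedIPs with 0.0.0.0/0 is reported, which is the kind of diff a reviewer would want when a peer file is regenerated.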


cotosso commented Dec 16, 2024

TEST CASE for "Configure a Desktop/Mobile device"

Everything went fine:
QR code has been generated and correctly scanned/imported by the WireGuard Android app.

@cotosso cotosso added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 16, 2024
@nethbot nethbot moved this from Testing to Verified in NethSecurity Dec 16, 2024
@gsanchietti (Member Author) commented:

Released on 23.05.5-ns.1.4.0

@github-project-automation github-project-automation bot moved this from Verified to Done ✅ in NethSecurity Dec 18, 2024